Hi list, I have samba-3.0.2-2 rpm installed on Redhat Enterprise Linux 3 AS kernel version. I've been using the Samba 3 How-To and messages on various mailing lists to join Samba to an AD domain and authenticate using winbind/pam. So far Samba has successfully become a member of the AD domain and can browse file servers using smbclient but I haven't been able to get winbind working - specifically wbinfo -u, wbinfo -g and wbinfo -t return errors. Below is a dump of the install/configuration process so far and the relevant config files. Any help on this is much appreciated as I've spent 3 days trying to get it to work and it refuses to for love nor money!
# rpm -ivh samba*.rpm #rpm -q samba samba-3.0.2.2 #rpm -qa | grep openldap openldap-2.0.27-11 openldap-devel-2.0.27-11 openldap-clients-2.0.27-11 #rpm -qa | grep krb krbafs-1.1.1-11 krbafs-utils-1.1.1-11 krbafs-devel-1.1.1-11 krb5-libs-1.2.7-19 krb5-workstation-1.2.7-19 pam_krb5-1.70-1 krb5-devel-1.2.7-19 krb5-server-1.2.7-19 Edit /etc/samba/smb.conf [global] realm = KERBEROS.REALM security = ADS encrypt passwords = yes password server = kerberos.server Edit /etc/krb5.conf [libdefaults] default_realm = KERBEROS.REALM [realms] KERBEROS.REALM = { kdc = kerberos.server - should :88 be appended to this line? } [domain_realms] .kerberos.server=KERBEROS.REALM #net ads join -U administrator password: Joined 'SERVERNAME' to realm 'DOMAIN' #kinit [EMAIL PROTECTED] password: #smbclient //servername/share -k smb // > Up to here everything is OK and the server account can be seen in AD. #ls -l /lib | grep libnss_winbind libnss_winbind.so -> libnss_winbind.so.2 Edit /etc/nsswitch.conf passwd: files winbind shadow: files group: files winbind #ldconfig -v | grep winbind libnss_winbind.so -> libnss_winbind.so.2 Edit /etc/samba/smb.conf [global] realm = KERBEROS.REALM security = ADS encrypt passwords = yes password server = kerberos.server winbind separator = + idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes template homedir = /home/%D/%U template shell = /bin/bash #testparm Load smb config file from /etc/samba/smb.conf Loaded services file OK 'winbind separator = +' might cause problems with group membership server role: ROLE_DOMAIN_MEMBER #net rpc join -S PDC -U administrator password: Joined domain DOMAIN #winbindd -B # wbinfo -u Error looking up domain #wbinfo -g Error looking up domain # wbinfo -t Checking the trust secret vi RPC calls failed Error code was (0x0) Could not check secret #wbinfo -p Ping to winbindd failed on fd-1 Could not pin winbindd! # ps -ae | grep winbindd PID winbind PID winbind This is the output from /var/log/samba/log.winbind [2004/02/13 13:35:47, 1] nsswitch/winbindd.c:main(843) winbindd version 3.0.2 started. Copyright The Samba Team 2000-2004 [2004/02/13 13:35:47, 0] libsmb/cliconnect.c:cli_session_setup_spnego(724) Kinit failed: Preauthentication failed [2004/02/13 13:35:47, 1] nsswitch/winbindd_util.c:add_trusted_domain(166) Added domain INFORMA-UK uk.informa.com S-1-5-21-1547161642-839522115-68200333 0 [2004/02/13 13:35:47, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269) krb5_cc_get_principal failed (No credentials cache found) [2004/02/13 13:35:47, 0] libads/kerberos.c:ads_kinit_password(133) kerberos_kinit_password HOST/[EMAIL PROTECTED] failed: Preauthenticati on failed [2004/02/13 13:35:47, 1] nsswitch/winbindd_ads.c:ads_cached_connection(65) ads_connect for domain INFORMA-UK failed: Preauthentication failed [2004/02/13 13:35:47, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276) krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested realm) [2004/02/13 13:35:47, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(516) spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm [2004/02/13 13:35:47, 1] nsswitch/winbindd_util.c:add_trusted_domain(166) Added domain INFORMA informa.com S-1-5-21-872949640-2421699758-2984176268 [2004/02/13 13:35:48, 1] nsswitch/winbindd_util.c:add_trusted_domain(166) Added domain DEFAULT S-1-5-21-2136767079-1738235858-945835055 [2004/02/13 13:35:49, 1] nsswitch/winbindd_util.c:add_trusted_domain(166) Added domain AGRA_UK S-1-5-21-591026277-1029915393-619646970 [2004/02/13 13:35:50, 1] nsswitch/winbindd_util.c:add_trusted_domain(166) Added domain MRC_UK S-1-5-21-1670978810-1498184290-1845911597 [2004/02/13 13:35:50, 1] nsswitch/winbindd_util.c:add_trusted_domain(166) Added domain LLP S-1-5-21-2047764551-82006601-1874078741 [2004/02/13 13:35:51, 1] nsswitch/winbindd_util.c:add_trusted_domain(166) Added domain CODA S-1-5-21-1310659078-2099469345-1236795852 [2004/02/13 13:35:52, 1] nsswitch/winbindd_util.c:add_trusted_domain(166) Added domain INFORMA_ASIA S-1-5-21-1008349960-465597267-314601362 [2004/02/13 13:35:53, 1] nsswitch/winbindd_util.c:add_trusted_domain(166) Added domain TEST.COM S-0-0 [2004/02/13 13:35:53, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276) krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested realm) [2004/02/13 13:35:53, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(516) spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm [2004/02/13 13:35:53, 1] nsswitch/winbindd_util.c:add_trusted_domain(166) Added domain AGRA agra.informa.com S-1-5-21-1801674531-2139871995-1177238915 [2004/02/13 13:35:53, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276) krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested realm) [2004/02/13 13:35:53, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(516) spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm Again thanks for any help with this. Simon ******************************************************************************** The information contained in this email message may be confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Although this message and any attachments are believed to be free of viruses, no responsibility is accepted by Informa for any loss or damage arising in any way from receipt or use thereof. Messages to and from the company are monitored for operational reasons and in accordance with lawful business practices. If you have received this message in error, please notify us by return and delete the message and any attachments. Further enquiries/returns can be sent to [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba